
Regulations on gTLDs Usage

Guidelines, policies, and regulations for generic Top-Level Domain (gTLD) usage and management

Last updated: 2025-10-24


This document outlines the regulations, policies, and best practices governing the use of generic Top-Level Domains (gTLDs) within our services. Understanding these regulations is essential for compliant and effective domain management.


What are gTLDs?

Generic Top-Level Domains Explained

gTLDs are the suffixes at the end of domain names that indicate the domain's purpose or category.

Traditional gTLDs

Classic domain extensions:

  • .com - Commercial (most popular)
  • .org - Organizations
  • .net - Network infrastructure
  • .edu - Educational institutions (restricted)
  • .gov - Government entities (restricted)
  • .mil - Military (restricted)

New gTLDs

Expanded domain options (introduced 2013+):

  • .app - Applications and software
  • .blog - Blogging and content
  • .shop - E-commerce and retail
  • .tech - Technology companies
  • .online - General online presence
  • .cloud - Cloud services
  • .ai - Artificial intelligence
  • .io - Tech startups
  • .co - Companies and corporations

Total Available: Over 1,200 gTLDs currently in use


Regulatory Framework

ICANN Governance

Internet Corporation for Assigned Names and Numbers

Role:

  • Global coordinator of the Domain Name System (DNS)
  • Sets policies for domain registries and registrars
  • Manages new gTLD application process
  • Enforces compliance with domain policies

Key Policies:

  • Uniform Domain Name Dispute Resolution Policy (UDRP)
  • Transfer Policy
  • Expired Registration Recovery Policy
  • Thick WHOIS requirements
  • Registration Data Access Protocol (RDAP)

Registry Operators

Each gTLD is managed by a registry operator:

  • Verisign - .com, .net
  • Public Interest Registry - .org
  • Google Registry - .app, .dev, .page
  • Donuts Inc. - Multiple new gTLDs
  • Individual Registry Operators - Specialized gTLDs

Registry Responsibilities:

  • Maintain technical infrastructure
  • Enforce usage policies
  • Set pricing and registration terms
  • Handle disputes and abuse
  • Ensure DNS security and stability

National Regulations

United States

Regulatory Bodies:

  • FCC - Communications regulations
  • FTC - Consumer protection
  • Department of Commerce - DNS oversight

Applicable Laws:

  • Anticybersquatting Consumer Protection Act (ACPA)
  • Computer Fraud and Abuse Act (CFAA)
  • CAN-SPAM Act (email regulations)

European Union

GDPR Impact:

  • WHOIS data privacy restrictions
  • Personal data protection requirements
  • Data transfer limitations
  • Right to erasure considerations

eIDAS Regulation:

  • Electronic identification standards
  • Trust services for electronic transactions
  • Domain validation requirements

Other Jurisdictions

Regional Considerations:

  • Country-specific trademark laws
  • Consumer protection regulations
  • Data localization requirements
  • Cross-border transfer restrictions

Permitted Uses

Acceptable Domain Usage

Commercial Use

Allowed Activities:

  • ✅ Business websites and services
  • ✅ E-commerce platforms
  • ✅ Corporate email services
  • ✅ Marketing and advertising
  • ✅ Customer portals
  • ✅ Professional services

Requirements:

  • Comply with local business regulations
  • Accurate WHOIS information
  • Proper trademark usage
  • Consumer protection compliance

Personal Use

Allowed Activities:

  • ✅ Personal websites and blogs
  • ✅ Portfolio and resume sites
  • ✅ Family email domains
  • ✅ Hobby and interest sites
  • ✅ Personal branding

Requirements:

  • Truthful registration information
  • Non-commercial nature (for some gTLDs)
  • Privacy protection options available

Organizational Use

Allowed Activities:

  • ✅ Non-profit organizations (.org preferred)
  • ✅ Educational institutions (.edu with verification)
  • ✅ Professional associations
  • ✅ Community groups
  • ✅ Charitable organizations

Requirements:

  • Proof of organizational status
  • Compliance with tax-exempt regulations
  • Mission-appropriate content
  • Transparent operations

gTLD-Specific Restrictions

Restricted gTLDs

Some gTLDs have special requirements:

.edu (Educational)

  • US accredited postsecondary institutions only
  • Verification by EduCause required
  • Must meet accreditation standards
  • Annual verification process

.gov (Government)

  • US federal, state, local government only
  • Authorization from appropriate authority
  • Security clearance requirements
  • Strict usage policies

.mil (Military)

  • US Department of Defense only
  • Military authorization required
  • Highest security standards
  • Restricted access

Industry-Specific gTLDs

.bank and .insurance

  • Verified financial institutions only
  • Enhanced security requirements
  • Regular compliance audits
  • Industry association membership

.pharmacy

  • Licensed pharmaceutical providers
  • Verification by National Association of Boards of Pharmacy
  • Compliance with drug regulations
  • Prescription validation

.lawyer and .attorney

  • Licensed legal professionals
  • State bar verification
  • Professional liability insurance
  • Ethical compliance

Prohibited Activities

Illegal Uses

Activities strictly prohibited:

Criminal Activity

  • ❌ Phishing and identity theft
  • ❌ Fraud and financial scams
  • ❌ Distribution of malware or viruses
  • ❌ Hacking and unauthorized access
  • ❌ Child exploitation material (CSAM)
  • ❌ Drug trafficking or illegal sales
  • ❌ Weapons trafficking
  • ❌ Money laundering

Consequences:

  • Immediate domain suspension
  • Law enforcement notification
  • Permanent ban from services
  • Legal prosecution

Trademark Infringement

  • ❌ Cybersquatting on trademarked names
  • ❌ Typosquatting (misspelled famous brands)
  • ❌ Trademark dilution
  • ❌ Passing off or impersonation
  • ❌ Unfair competition

UDRP Grounds for Transfer:

  • Domain identical or confusingly similar to trademark
  • Registrant has no legitimate rights
  • Registered and used in bad faith

Spam and Abuse

  • ❌ Mass unsolicited email (spam)
  • ❌ Email harvesting and scraping
  • ❌ Spoofing sender addresses
  • ❌ Dictionary attacks
  • ❌ Botnet command and control

Anti-Spam Compliance:

  • CAN-SPAM Act (US)
  • CASL (Canada)
  • Privacy and Electronic Communications Regulations (UK/EU)

Content Restrictions

Prohibited Content

  • ❌ Hate speech and discrimination
  • ❌ Violence and terrorism
  • ❌ Adult content (on non-adult gTLDs)
  • ❌ Defamation and harassment
  • ❌ Copyright infringement
  • ❌ Misleading or deceptive content

Registry-Specific Policies

Some gTLDs have additional content restrictions:

  • Religious gTLDs may prohibit opposing views
  • Educational gTLDs restrict commercial content
  • Professional gTLDs require industry-appropriate content
  • Geographic gTLDs may require local presence

Registration Requirements

Identity Verification

Personal Information

Required for All Registrations:

  • Full legal name
  • Physical mailing address
  • Email address
  • Phone number
  • Country of residence

Privacy Protection:

  • WHOIS privacy available for eligible gTLDs
  • Proxy registration services
  • Redacted information per GDPR
  • Balance privacy with accountability

Business Verification

For Commercial Registrations:

  • Legal business name
  • Business registration number
  • Tax identification number
  • Physical business address
  • Authorized representative details

Enhanced Verification (Some gTLDs):

  • Business registration documents
  • Operating license verification
  • Industry certifications
  • Background checks

Accuracy Requirements

WHOIS Accuracy

Registrant Obligations:

  • Maintain accurate and current information
  • Update within 7 days of changes
  • Respond to verification emails
  • Provide truthful registration data

Verification Process:

  • Email verification within 15 days
  • Annual WHOIS accuracy reminders
  • Periodic re-verification requirements
  • Suspension for non-response

Consequences of Inaccuracy:

  • Domain suspension
  • Deletion per registry policy
  • UDRP vulnerability
  • Contract breach

Domain Management Policies

Transfer Policy

Authorized Transfers

Requirements:

  • Domain unlocked by current registrant
  • Authorization code (EPP code) obtained
  • No recent transfers (60-day lock)
  • No pending legal disputes
  • Registrant approval confirmed

Transfer Process:

  • Request authorization code
  • Initiate transfer with new registrar
  • Confirm via email authorization
  • Transfer completes in 5-7 days
  • Domain renewed for 1 year

Unauthorized Transfer Protection

Security Measures:

  • Registrar lock enabled by default
  • Two-factor authentication
  • Transfer confirmation emails
  • Dispute resolution procedures

If Unauthorized Transfer Occurs:

  • Contact registrar immediately
  • File ICANN complaint
  • Initiate transfer reversal
  • Document evidence

Renewal and Expiration

Renewal Requirements

Standard Process:

  • Renewal notices sent 30, 15, 7 days before expiration
  • Auto-renewal available
  • Grace period after expiration (typically 30 days)
  • Redemption period (30-90 days)
  • Penalty fees during redemption
  • Permanent deletion after redemption period

Consequences of Expiration:

  • Email service interruption
  • Website becomes unavailable
  • Domain enters auction or drops
  • Loss of SEO value and rankings
  • Risk of competitors registering

Dispute Resolution

UDRP Process

Uniform Domain Name Dispute Resolution Policy:

Grounds for Complaint:

  • Domain identical/similar to trademark
  • No legitimate interest in domain
  • Bad faith registration and use

Process:

  • File complaint with approved provider
  • Respondent has 20 days to respond
  • Panel review (1 or 3 panelists)
  • Decision within 45-60 days
  • Domain transfer or retention

Costs:

  • Single panelist: ~$1,500
  • Three-panelist: ~$4,000
  • Paid by complainant
  • Split if respondent requests 3-panel

URS (Uniform Rapid Suspension)

Faster Process for Clear-Cut Cases:

  • Lower cost (~$300-500)
  • Faster decision (typically 14-21 days)
  • Domain suspension (not transfer)
  • Higher burden of proof
  • Limited to obvious infringement

Compliance Requirements

Email Authentication

Required Security Records

SPF (Sender Policy Framework):

v=spf1 include:_spf.pupam.com ~all

  • Prevents email spoofing
  • Specifies authorized mail servers
  • Improves deliverability

DKIM (DomainKeys Identified Mail):

  • Cryptographic email signatures
  • Verifies email authenticity
  • Required for major email providers

DMARC (Domain-based Message Authentication):

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com

  • Email authentication policy
  • Specifies handling of failures
  • Provides reporting mechanism

Anti-Spam Compliance

CAN-SPAM Act Requirements:

  • ✅ Accurate sender information
  • ✅ Clear subject lines
  • ✅ Identify message as advertisement
  • ✅ Include physical address
  • ✅ Provide unsubscribe mechanism
  • ✅ Honor opt-outs within 10 days

GDPR Email Requirements:

  • ✅ Explicit consent for marketing
  • ✅ Easy unsubscribe option
  • ✅ Privacy policy provided
  • ✅ Data processing records
  • ✅ Right to erasure compliance

Data Protection

GDPR Compliance (EU)

For .eu and European Users:

  • Lawful basis for processing
  • Data minimization principles
  • Purpose limitation
  • Storage limitation
  • Data subject rights
  • Data protection by design
  • Records of processing activities
  • Data breach notification (72 hours)

CCPA Compliance (California)

For California Residents:

  • Privacy policy disclosure
  • Right to know data collected
  • Right to deletion
  • Right to opt-out of sales
  • Non-discrimination for exercising rights

Industry-Specific Regulations

Financial Services

For .bank, .insurance Domains:

  • Enhanced security standards
  • Regular security audits
  • Incident reporting requirements
  • Customer authentication protocols
  • PCI DSS compliance (if processing payments)

Healthcare

For Medical/Healthcare Domains:

  • HIPAA compliance (US)
  • Patient data protection
  • Secure communication channels
  • Business Associate Agreements
  • Breach notification requirements

Legal Services

For .lawyer, .attorney Domains:

  • Professional conduct rules
  • Attorney-client privilege protection
  • Confidentiality requirements
  • Conflict of interest disclosures
  • State bar compliance

Enforcement and Penalties

Violation Consequences

First Offense

Actions:

  • Warning notice issued
  • Correction deadline provided (typically 7 days)
  • Account review initiated
  • Compliance assistance offered

Repeat Violations

Actions:

  • Domain suspension (temporary)
  • Service restrictions
  • Financial penalties
  • Enhanced monitoring

Severe Violations

Actions:

  • Immediate domain suspension
  • Account termination
  • Domain confiscation/transfer
  • Law enforcement notification
  • Legal action
  • Permanent service ban

Registry Actions

Registry Operators May:

  • Suspend domains for abuse
  • Remove domains from DNS
  • Transfer domains (per UDRP)
  • Blacklist registrants
  • Implement enhanced verification
  • Impose financial penalties

Civil Liability

Potential Claims:

  • Trademark infringement
  • Cybersquatting (up to $100,000 per domain)
  • Contract breach
  • Consumer protection violations
  • Privacy violations (GDPR: up to €20M or 4% revenue)

Criminal Liability

Potential Charges:

  • Wire fraud
  • Identity theft
  • Computer fraud and abuse
  • SPAM violations ($250-$500 per email)
  • CSAM possession/distribution
  • Money laundering

Best Practices

Domain Selection

Choosing Appropriate gTLD

Consider:

  • ✅ Business type and industry
  • ✅ Target audience and market
  • ✅ Brand identity and positioning
  • ✅ SEO implications
  • ✅ User trust and recognition
  • ✅ Future expansion plans

Recommendations:

  • .com for general business (most trusted)
  • .org for non-profits
  • .edu for education (if eligible)
  • Industry-specific for specialized services
  • Geographic for local businesses
  • New gTLDs for modern branding

Trademark Considerations

Before Registration:

  • Search trademark databases (USPTO, EUIPO)
  • Check common law trademarks
  • Review similar domain registrations
  • Consider defensive registrations
  • Consult trademark attorney if uncertain

Defensive Strategies:

  • Register variations of your brand
  • Register common misspellings
  • Register multiple gTLDs
  • Monitor trademark watch services
  • Act quickly against infringements

Security Measures

Domain Protection

Essential Security:

  • ✅ Enable registrar lock
  • ✅ Use strong passwords
  • ✅ Enable two-factor authentication
  • ✅ Privacy protection service
  • ✅ Auto-renewal enabled
  • ✅ Monitor WHOIS changes
  • ✅ Regular security audits

Email Security

Authentication Setup:

  • Configure SPF records
  • Implement DKIM signing
  • Deploy DMARC policy
  • Monitor DMARC reports
  • Gradually enforce strict policies

Compliance Monitoring

Regular Reviews

Monthly Tasks:

  • ✅ Review email authentication reports
  • ✅ Check domain expiration dates
  • ✅ Monitor trademark infringement
  • ✅ Review access logs
  • ✅ Update WHOIS information if changed

Quarterly Tasks:

  • ✅ Security audit
  • ✅ Compliance policy review
  • ✅ Privacy policy update
  • ✅ Staff training on regulations
  • ✅ Incident response plan testing

Annual Tasks:

  • ✅ Comprehensive security assessment
  • ✅ Legal compliance audit
  • ✅ Domain portfolio review
  • ✅ Registry policy updates review
  • ✅ Insurance and liability review

Resources and References

Regulatory Bodies

ICANN (Internet Corporation for Assigned Names and Numbers)

Regional Internet Registries:

Dispute Resolution

Approved UDRP Providers:

  • WIPO Arbitration and Mediation Center: wipo.int/amc
  • National Arbitration Forum: adr.org
  • Asian Domain Name Dispute Resolution Centre: adndrc.org

Compliance Tools

DNS and Email Testing:

Trademark Search:


Frequently Asked Questions

Can I use any gTLD for my business?

Most gTLDs are open for registration, but some have restrictions. Verify requirements before purchasing. We can help determine eligibility.

What happens if someone claims my domain infringes their trademark?

You'll receive a UDRP complaint notification. Consult legal counsel immediately. You have 20 days to respond with evidence of legitimate use.

Do I need privacy protection for my WHOIS data?

It's recommended for personal domains. Business domains may need to show legitimacy through public WHOIS. GDPR automatically redacts some data.

How do I ensure my domain email isn't flagged as spam?

Configure SPF, DKIM, and DMARC records correctly. Follow email best practices. Maintain good sender reputation. We provide setup assistance.

Can I transfer a domain to another person?

Yes, through a registrar transfer process. Both parties must agree. May require notarized documents for high-value domains. Transfer fees may apply.

What if I forget to renew my domain?

Grace period allows late renewal (30 days). Redemption period with penalties (30-90 days). After that, domain drops and anyone can register it.

Are there domains I should avoid registering?

Avoid trademarked names, celebrity names, government entities, or anything that could be considered cybersquatting. When in doubt, consult legal advice.


Contact Information

Compliance Support

General Compliance Questions:

Legal and Trademark Issues:

Technical Support

DNS and Email Configuration:


Disclaimer: This document provides general information about gTLD regulations. It does not constitute legal advice. Consult qualified legal counsel for specific situations. Regulations vary by jurisdiction and change over time. Always verify current requirements with appropriate authorities.

Last Reviewed: October 24, 2025
Next Review: January 24, 2026
